07 February 2016

Bank apps riddled with security holes - researchers

13 January 2014

Many of the world's biggest banks have serious security flaws in their mobile apps which could leave customers - and the banks themselves - vulnerable to attackers, research from IOActive suggests.

IOActive researcher Ariel Sanchez used iPhones and iPads to test 40 home banking apps from some of the biggest financial institutions around the world.

The testing found that 90% of the apps contain non-SSL links, allowing an attacker positioned on the network path to intercept traffic and inject code, for example to present a fake login prompt or a similar scam.

Meanwhile, half of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. In some cases, the native iOS functionality is exposed, allowing crooks to do things like send SMS or e-mails from the victim's device.

Many apps - 40% - do not validate the authenticity of the SSL certificates presented to them, leaving them open to man-in-the-middle attacks. Nearly three quarters also lack multi-factor authentication, which could help to mitigate the risk of impersonation attacks.

IOActive says that it has contacted some of the banks about vulnerabilities but argues that the entire industry needs to step up its efforts to protect customers.

Among its recommendations: perform all connections over secure transport protocols, enforce SSL certificate checks, and use the iOS data protection API to encrypt sensitive data.
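As an added illustration of the findings and recommendations above (this is not code from IOActive, the researcher, or any bank), the Python below audits an app's list of endpoints for non-HTTPS links and sets a TLS client configuration that skips certificate validation beside one that enforces chain and hostname checks. The endpoint URLs are constructed placeholders, and the function names `audit`, `weak_tls_context` and `hardened_tls_context` are chosen here.

```python
"""Offline audit for two of the findings in the article: plain-HTTP links and
disabled server certificate validation. Added example, not IOActive's tooling."""
import ssl
from urllib.parse import urlparse

# Constructed sample: endpoints an app might embed. Hostnames are placeholders.
SAMPLE_ENDPOINTS = [
    "https://api.example-bank.test/v1/login",
    "http://static.example-bank.test/terms.html",    # non-SSL page for a web view
    "https://api.example-bank.test/v1/accounts",
    "http://cdn.example-bank.test/promo/banner.js",  # non-SSL script load
    "ftp://legacy.example-bank.test/statements",     # not HTTPS either
]


def non_ssl_links(urls):
    """Return every URL that is not served over HTTPS.

    Content fetched over plain HTTP into a web view can be altered in transit,
    which is the injection path the article describes.
    """
    return [u for u in urls if urlparse(u).scheme.lower() != "https"]


def weak_tls_context():
    """The 'accept any certificate' configuration flagged by the audit.

    check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    Shown only for comparison with the hardened context below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_tls_context():
    """Validate the chain against the platform trust store and check the hostname.

    create_default_context() already sets CERT_REQUIRED and check_hostname=True;
    the point is to keep those defaults rather than override them.
    """
    return ssl.create_default_context()


def tls_context_findings(ctx):
    """Describe what is wrong with a client SSLContext, if anything."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    return findings


def audit(urls, ctx):
    """Combine both checks into one report; 'passed' is True only when clean."""
    report = {
        "non_ssl_links": non_ssl_links(urls),
        "tls": tls_context_findings(ctx),
    }
    report["passed"] = not report["non_ssl_links"] and not report["tls"]
    return report


if __name__ == "__main__":
    for label, ctx in (("weak", weak_tls_context()),
                       ("hardened", hardened_tls_context())):
        print(label, audit(SAMPLE_ENDPOINTS, ctx))
```

The `ssl` module is used here because it makes the two settings explicit and testable; on iOS the equivalent weak pattern is an authentication-challenge handler that accepts whatever server trust is presented, and the fix is likewise to let the platform's default validation run unmodified.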
